From: millert Date: Thu, 22 Jan 2015 20:44:05 +0000 (+0000) Subject: Document that changes made to the directory hierarchy of the chroot X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=50a993057be0e28423998448d7d202550934c284;p=openbsd Document that changes made to the directory hierarchy of the chroot jail may inadvertanly allow a process to escape. Also mention the problem of directory fd passing. Based on a diff from deraadt@ --- diff --git a/lib/libc/sys/chroot.2 b/lib/libc/sys/chroot.2 index d1d02922df1..2a0435e8945 100644 --- a/lib/libc/sys/chroot.2 +++ b/lib/libc/sys/chroot.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: chroot.2,v 1.21 2015/01/19 15:54:11 millert Exp $ +.\" $OpenBSD: chroot.2,v 1.22 2015/01/22 20:44:05 millert Exp $ .\" $NetBSD: chroot.2,v 1.7 1995/02/27 12:32:12 cgd Exp $ .\" .\" Copyright (c) 1983, 1991, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)chroot.2 8.1 (Berkeley) 6/4/93 .\" -.Dd $Mdocdate: January 19 2015 $ +.Dd $Mdocdate: January 22 2015 $ .Dt CHROOT 2 .Os .Sh NAME @@ -116,3 +116,8 @@ system call first appeared in .At v7 . .Sh CAVEATS There are ways for a root process to escape from the chroot jail. +Changes to the directory hierarchy made from outside the chroot jail +may allow a restricted process to escape, even if it is unprivileged. +Passing directory file descriptors via +.Xr recvmsg 2 +from outside the chroot jail may also allow a process to escape.